POL Information Systems Access Policy. History: First issued: November 5, Revised: April 5, Last revised: June 18, 2014

Transcription

1 POL Information Systems Access Policy Authority: History: First issued: November 5, Revised: April 5, Last revised: June 18, 2014 Related Policies: NC General Statute Accessing computers Additional References: North Carolina General Statute Statewide Security Standards Office of the State Chief Information Officer Statewide Information Security Manual Contact Information: Associate Vice Chancellor for Information Technology and CIO, ( ) 1. SCOPE 1.1 This policy is the basis for operations and procedures to be followed by technical staff, as well as all individuals who access or use the information technology resources of UNCP. 2. ACCOUNTS 2.1 Accounts are the means by which systems identify users and grant them access to resources. Proper administration of accounts is essential to maintain security and data integrity. User accounts are created using standard procedures and deleted in a timely manner. Access to system resources is provided on an as-needed basis Only authorized users may access university computer systems Faculty, staff and students are assigned accounts upon application Temporary employees may be assigned accounts for the duration of their employment UNCP approved and recognized volunteers may be assigned accounts for the duration of their volunteer involvement Employees of other agencies or vendors are assigned accounts for the duration of their need for the account Retired faculty and staff may apply to retain their account Alumni may retain access to an account that provides access to limited services as approved by university leadership. 1

2 2.1.8 Applications for academic systems do not require additional approval Applications for administrative systems require approval by the supervisor and appropriate data steward or manager Applications for group Web accounts require approval by the appropriate Web Information Coordinator Except as authorized in other policy, an individual user may not use a generic account The chancellor and vice chancellors retain the right, in an emergency, to grant access to data contained in a user account of an employee in their respective division or office. Emergencies may include, but are not limited to, the death or incapacity of an employee. 2.2 Enforcement All accounts assigned to an employee are expired or deleted upon notification from Human Resources that the employee has separated from the university. Accounts may be locked in lieu of prompt deletion. Any supervisor in the employee s reporting structure may request employee s accounts on administrative systems be expired or locked earlier by contacting the Division of Information Technology (DoIT) directly Adjunct faculty accounts are terminated upon notification of the appropriate dean. The academic deans will review accounts for adjunct and part-time faculty each spring and fall semester for continued activation Retired UNCP faculty and staff, upon request, may continue to use their user account to access their university An administrative account assigned to an employee is expired or deleted upon notification to DoIT from the appropriate data steward or manager that the employee no longer requires the account Access privileges on an administrative account are changed upon notification from the appropriate data steward or manager that the employee requires different access privileges Upon notification of an employee transfer by Human Resources, the appropriate data steward or manager shall be contacted to determine the continued need for an administrative account A group Web account assigned to an employee is expired or deleted upon notification from the appropriate Web Information Coordinator that the employee no longer requires the account A student account is retained until the student graduates or has not enrolled for two normal semesters (fall or spring). Access to wireless, classroom, laboratory and residential networks shall be removed during the first normal semester in which the student does not enroll. 2

3 2.2.9 UNCP employees and students gaining access with unauthorized accounts, found compromising account security, or allowing unauthorized access may be subject to disciplinary action which may include dismissal. 2.3 Passwords Passwords shall adhere to the following requirements: a. Consist of a minimum of eight characters; b. Contain at least one character from three of the following four categories: uppercase letters, lowercase letters, digits and symbols; c. Shall not contain more than two consecutive letters from the full name or username; d. Shall not contain dictionary words or abbreviations; and e. Shall not contain dictionary words or abbreviations modified by substituting special characters or digits for letters Passwords shall be changed whenever there is a chance that the password or the system could be compromised, or whenever the password may have been revealed to an un-authorized party Passwords shall not be reused until a minimum of six additional distinct passwords has been used Passwords shall have a minimum age of five (5) days and shall expire every ninety (90) days. Passwords with any degree of system privileges beyond a typical user account on the system shall expire every thirty (30) days Accounts with normal user access shall be automatically locked after five (5) failed authentication attempts. Accounts with any degree of system privileges on enterprise systems shall be automatically locked after three (3) failed authentication attempts Passwords used for accounts with any degree of system privileges shall be different from all other passwords for accounts used by the user Passwords used on university systems shall not be used on external, non-university systems Passwords shall not be stored in web browsers or other applications that provide automated password input Passwords shall not be written down, stored in clear text or transmitted in . 3

4 Passwords for service accounts shall be changed at least every one hundred and eighty (180) days, and may be changed more frequently. Passwords for service accounts shall not be configured to automatically expire. Passwords for service accounts shall be changed promptly following the transfer or separation of any employee with access to the password, or following the end of a project or service engagement in which third parties had access to the password. A Service Account is an account created by system administrators or vendors for automated use by an application, operating system or network device Passwords for visitors, contractors and other third parties shall meet all other requirements of this section. In addition, passwords shall not be disclosed to these parties until such time as they are needed and passwords shall be immediately changed upon completion of access purpose. Accounts for third parties may be retained indefinitely but shall be inactive when not in use Passwords for alumni accounts may be exempt for password reset requirements if those accounts do not provide access to protected or sensitive data. 2.4 Enforcement Systems that have the capability are to warn users within 20 days of password expiration Users with multiple accounts are to use multiple passwords UNCP employees gaining access using another user s account and password, found compromising account security, or allowing unauthorized access may be subject to disciplinary action which may include dismissal in accordance with federal, state and local laws and policies All systems shall implement a means of locking or ending an idle session. Desktops and laptop shall employ password protected screen savers. 2.5 Privileged accounts on administrative systems Privileged accounts on administrative systems have the potential to impact not only the operation of those systems, but also have a major impact on the entire university Where facilities permit, all activity in accounts with system privileges on administrative systems must be monitored Where facilities permit, all activity in accounts with production privileges and access to command procedures or source programs on administrative systems must be monitored Monitoring of accounts must be completed routinely. Logs of monitoring activity must be maintained. 4

5 2.5.5 Where facilities do not permit monitoring as described in and 2.5.3, above, alternative forms of controls must be employed. 3. PHYSICAL SECURITY 3.1 Physical security deals with controls over direct physical access to system components and network devices. Physical security is a key layer of overall security and is the foundation of several other layers. Physical security must be maintained at all times. 3.2 Machine room access and security The machine room(s) store(s) valuable equipment and sensitive data and must be secured at all times Machine room doors are to remain locked at all times Machine room windows are to be screened to prevent access Normal office hours are Monday-Friday, from 8 a.m. to 5 p.m. At all other times, doors to offices adjacent to the machine room(s) are to remain locked Only authorized personnel are permitted access to the machine room(s) DoIT personnel whose duties require routine access to the equipment within the machine room(s) are permitted to retain the combination. A list of these personnel shall be maintained in the Office of the CIO Personnel whose duties require occasional access to the machine room(s) are not permitted access to the combination. These personnel may have access to the machine room(s) only as long as their duties require and must be supervised by DoIT personnel with access to the combination. These personnel include housekeeping, maintenance or other university staff as well as vendor representatives. 3.3 Enforcement Upon the approval of the Chief Information Officer, the Associate Chief Information Officer, the Assistant Chief Information Officer or the Director of Network and System Administration, guests may tour the machine room(s). Guests are to be supervised by DoIT employees with access to the combination at all times Any guest or personnel without access to the combination must sign in and out whenever they enter and leave the machine room Combinations to the machine room doors are changed periodically or whenever any staff member with access to the combination leaves the university s employment or is assigned duties that do not require access to the machine room(s). 5

6 3.3.4 UNCP employees found accessing these rooms without just cause, gaining access without following approved policy and procedure guidelines, compromising room security, or allowing unauthorized access may be subject to disciplinary action which may include dismissal in accordance with federal, state and local laws and policies. 3.4 Network closet access and security Network closets store valuable equipment and allow direct access to network devices. They must be secured at all times Network closet doors are to remain locked at all times Network closet windows are to be screened or barred to prevent access Only authorized personnel are permitted access to network closets DoIT personnel whose duties require access to the equipment within the network closets are permitted to obtain a key. A list of these personnel shall be maintained in the Office of the CIO In those cases where network closets are also used for other purposes, networking equipment is to be secured within a locked cabinet Non-DoIT personnel desiring to gain entry into mechanical rooms that also serve as institutional data closets must check out the door key using normal key checkout procedures within Facilities Management. The person checking out the key must provide their name as well as the date and time the key is checked out. A justification for accessing the room must also be included. This is accomplished through the key sign-out log kept by facilities staff in the work control center While accessing the closet, security of the doors must not be compromised in any manner nor should the door be left open without personal supervision. Unauthorized employees must not be allowed to enter the mechanical/data closet space. The individual checking out the key is accountable for the security of the mechanical/data closet space until the key is returned Non-university personnel cannot be issued a key to any mechanical/data closet. Keys will only be issued to the responsible UNCP employee. The listing of UNCP personnel approved to obtain a key will be kept in the key log in Facilities Management. If the work is contracted, then the contractor is to be supervised by DoIT staff and/or Facilities Management staff during the work. The Facilities Management Director will review the key log file for compliance Upon completion of the necessary access, the person checking out the key must return the closet key and include the date and time of the return. 3.5 Enforcement 6

7 3.5.1 All access to mechanical/data closet by UNCP personnel other than DoIT staff must be recorded as part of Facilities Management s key check-out process. UNCP employees found accessing these rooms without just cause, gaining access without following approved policy and procedure guidelines, compromising room security, or allowing unauthorized access may be subject to disciplinary action which may include dismissal in accordance with federal, state and local laws and policies Upon the approval of the Chief Information Officer, the Associate Chief Information Officer, the Assistant Chief Information Officer or the Director of Network and System Administration, guests may tour a network closet. Guests are to be supervised by DoIT employees. 3.6 Office access and security The offices of DoIT contain a great deal of valuable equipment and sensitive data. The offices must be secured at all times Normal office hours are Monday-Friday, from 8 a.m. to 5 p.m. At all other times, the doors to the offices are to remain locked Only DoIT personnel are allowed keys to the offices Temporary and student workers are not permitted to retain keys to the offices, unless their duties require them to enter after normal office hours Only the Associate Vice Chancellor for Information Resources, the Associate Chief Information Officer, the Assistant Chief Information Officer and the Director of IT Planning and Budget and the university locksmith are permitted master keys to each office. DoIT staff should be aware of any visitors and monitor their actions. 3.7 Operator area access and security The operator area is a place for operators to work containing valuable equipment and sensitive data. It provides access to the machine room and must be secured at all times Normal office hours are Monday-Friday, from 8 a.m. to 5 p.m. At all other times, the doors to the operator s area and adjacent offices are to remain locked All DoIT personnel are permitted access to the operator s area during the normal office hours Other university staff, guests or vendor representatives whose duties require their present in the operator s area are to be supervised by DoIT staff at all times DoIT personnel should be aware of any visitors and monitor their actions. 7

8 3.7.6 DoIT personnel whose duties require access to the machine room are permitted to retain the combination to the operator s area. A list of these personnel is maintained in the Office of the CIO. 3.8 Enforcement UNCP employees found accessing the Operator Area or DoIT offices without just cause or gaining access without following policy guidelines, compromising room security, or allowing unauthorized access may be subject to disciplinary action which may include dismissal in accordance with federal, state and local laws and policies. 4. RETENTION OF FILES FROM EXPIRED OR DELETED ACCOUNTS 4.1 Although a user account may be expired or deleted, data files stored in those accounts may be important to the university. 4.2 Files in individual directories from expired or deleted accounts on administrative systems may be reviewed and copied by the appropriate data steward or manager or by application staff from DoIT. 4.3 The supervisor shall review and retain files on desktops or laptops from expired or deleted accounts, as described in other policy. These files shall be deleted before the desktop or laptop is re-purposed or disposed. 4.4 Files in individual directories on storage systems shall be reviewed and copied by the supervisor as described in other policy. The files shall be deleted after six months. 4.5 Files in individual directories from expired or deleted accounts on academic systems will be kept for six months and then deleted. 4.6 Files in individual directories from expired or deleted accounts on Web systems will be kept for six months and then deleted. 5. DATA RETENTION 5.1 Various federal and state requirements exist that dictate the amount of time for which the university must retain data. It is the responsibility of the employee s former supervisor to ensure that data in an employee s files are retained according to these requirements. 6. ACCESS TO PROGRAMS AND COMMAND PROCEDURES 6.1 Access to programs and command procedures has the potential to make a significant impact on the university. This impact includes risk associated with allowing access to confidential information, trade secrets or other materials under the constraints of a non-disclosure agreement. 8

9 It also includes risk from users or intruders bypassing normal security methods to access or copy confidential information. 6.2 On administrative systems, read access to the source code of programs or command procedures shall be restricted to those administrators or developers whose duties require maintenance or support of the software. 6.3 On Web systems, read access to the source code of programs of command procedures shall be restricted to those administrators or developers whose duties require maintenance or support of the software. 9